About code scanning

You can use code scanning to find security vulnerabilities and errors in the code for your project on GitHub.

Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "GitHub's products."

About code scanning

Code scanning is a feature that you use to analyze the code in a GitHub repository to find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub.

You can use code scanning to find, triage, and prioritize fixes for existing problems in your code. Code scanning also prevents developers from introducing new problems. You can schedule scans for specific days and times, or trigger scans when a specific event occurs in the repository, such as a push.

If code scanning finds a potential vulnerability or error in your code, GitHub displays an alert in the repository. After you fix the code that triggered the alert, GitHub closes the alert. For more information, see "Managing code scanning alerts for your repository."

To monitor results from code scanning across your repositories or your organization, you can use webhooks and the code scanning API. For information about the webhooks for code scanning, see "Webhook events and payloads." For information about API endpoints, see "Code scanning."

To get started with code scanning, see "Setting up code scanning for a repository."

About billing for code scanning

Code scanning uses GitHub Actions, and each run of a code scanning workflow consumes minutes for GitHub Actions. For more information, see "About billing for GitHub Actions."

About tools for code scanning

You can set up code scanning to use the CodeQL product maintained by GitHub or a third-party code scanning tool.

About CodeQL analysis

CodeQL is the code analysis engine developed by GitHub to automate security checks. You can analyze your code using CodeQL and display the results as code scanning alerts. For more information about CodeQL, see "About code scanning with CodeQL."

About third-party code scanning tools

Code scanning is interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data. SARIF is an open standard. For more information, see "SARIF output for code scanning."

You can run third-party analysis tools within GitHub using actions or within an external CI system. For more information, see "Setting up code scanning for a repository" or "Uploading a SARIF file to GitHub."
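The following workflow is an added example, not part of this documentation page, that ties together the two setups described above: it runs CodeQL on each push and pull request to the default branch and on a weekly schedule, and in a second job uploads SARIF produced by a third-party scanner. The branch name `main`, the JavaScript language choice, and the `./run-scanner.sh` invocation are assumptions standing in for your own project.

```yaml
# Added example (not GitHub's own documentation): CodeQL on push/PR/schedule,
# plus a SARIF upload from a hypothetical third-party scanner.
name: "Code scanning"

on:
  push:
    branches: [main]          # assumption: the default branch is "main"
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'      # every Monday at 03:30 UTC

permissions:
  contents: read
  security-events: write      # needed to upload code scanning results

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [javascript]   # assumption: a JavaScript project
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          # Distinct category per language so alerts from each matrix
          # job are tracked separately rather than overwriting each other.
          category: "/language:${{ matrix.language }}"

  third-party:
    name: Third-party SARIF upload
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder: replace with the real invocation of your scanner.
      # The only requirement is that it writes SARIF to results.sarif.
      - name: Run scanner (hypothetical)
        run: ./run-scanner.sh --output results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: third-party-scanner
```

Each job uploads under its own category, so CodeQL alerts and third-party alerts are tracked and closed independently as the underlying code is fixed.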